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Abstract 

We introduce a method for the assessment of trust for n-open systems based on a measurement of 
fidelity and present a prototypic implementation of a complaint architecture. We construct a MAPE 
loop which monitors the compliance between corresponding figures of interest in cyber- and physical 
domains; derive measures of the system’s trustworthiness; and use them to plan and execute actions 
aiming at guaranteeing system safety and resilience. We conclude with a view on our future work. 


1 Introduction 

Fidelity of an open system can be interpreted as the compliance between corresponding figures of interest 
in two separate but communicating domains, see [9]. In cyber-physical systems, perfect fidelity means 
that actions in the physical domain have a well-defined and stable counterpart in the cyber domain, and 
vice-versa. This is an ideal state, as no concrete cyber-physical system may guarantee at all times a 
perfect correspondence between its domains of action. In practice, fidelity is affected by circumstances 
that let the system drift from the optimal case. Our stance is that, by observing the characteristics of 
said drifting, we may introduce a fine-grained characterisation of the quality of system trustworthiness. 
To this aim, we introduce a practical method for the assessment of trust based on the measurement of 
fidelity in computational systems, including cyber-physical ones. As a way to measure fidelity drifting we 
propose to adopt and extend the approach described in muni. We propose to make use of the accrued 
information to assess the characteristics of drifting in fidelity; we derive from it dynamic properties of 
both user and machine; evaluate it in terms of system’s trustworthiness and use it to execute safety- 
assurance actions. This generates a trust-induced MAPE-loop. 

The paper is structured as follows. In Sect. we describe the conceptual model of system fidelity; in 
Sect. the model for fidelity evaluation is implemented in an architecture for a cyber-physical system; in 
Sect. 1^ we build the link to trustworthiness evaluation; finally, in Sect. we conclude by drawing some 
observation and describing further lines of research. 

2 Conceptual understanding of System Fidelity 

In the present section we introduce a conceptual model of system fidelity, derived from the one presented 
in [9]. Our starting point is the concept of n-open systems (nOPS), characterised by the following 
properties: 

• nOPS interact with one or more of the environments they are deployed in. 

• nOPS base their action on the ability to sense n classes of raw facts taking place in their deployment 
environments. 

• nOPS are able to construct and maintain n classes of internal representations of the raw facts, 
called qualia. 
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• Qualia are, to some extent, faithful, meaning that they timely reflect the dynamic variation of the 
corresponding class of raw facts. 

We discuss here fidelity as a characterisation of the above-mentioned faithfulness. More formally, 
given any S G nOPS, we consider n classes of raw facts, [r]i, 1 < i < n, and n classes of binary operations, 
[+]^, such that each of the couples 

( 1 ) 

constitutes an algebraic structure; for instance, when [+]^ is a singleton, then ([r]^, [+]^) is a group. 
Likewise, for any 1 < i < n, we call [q]i the class of qualia corresponding to [r]i and [0]^ the class of 
binary operations corresponding to [0]^. Moreover, as we did for 0, we assume that ([g]i, [0]^) is an 
algebraic structure. Then, for each 1 < i < n, we consider the following function: 


• Mi [oli^ (2) 

mapping the qualia corresponding to any raw fact in [r]^. We refer to the functions as the reflective 
maps of some n-open system S. Reflective maps are assumed to be bijective functions, with being 
the inverted reflective maps of S associating the raw fact corresponding to each input quale. We shall say 
that expresses perfect fidelity between ([rj^, [0]i) and {[q]i, [®]i) if if preserves its algebraic 

structures (i.e., it is an isomorphism). More formally, for any couple of raw facts (ri,r 2 ) G [r]^ x Mi 
for all 0 G [0]i and all • G [0]^: ^i(ri 0 r 2 ) = ^i(ri) • ^i(r 2 ). 

Perfect fidelity may be better understood through an example. Let us assume that S' is a cyber¬ 
physical system responsible for the operation of a mission critical hard-real-time service. An operator 
is responsible for the issuing of requests for service, which is done through a user interface (UI). A 
set of raw facts and prescribed behaviours pertaining to the physical environment are represented as 
“cyber-qualia” and “cyber-behaviours” stored in computer memories. Likewise, a set of “Ul-qualia” 
and “Ul-behaviours” are respectively rendered and operable through the UI. Perfect fidelity states that 
the correspondence between the physical, the cyber, and the UI domains is such that the prescribed 
behaviours as well as the referred raw facts and qualia are consistent on either of the involved domains. 
Thus certain operations and objects represented and rendered via the UI perfectly correspond to opera¬ 
tions and objects encoded in 5'’s computer components, which in turn perfectly correspond to physical 
actions having effects on physical entities. Obviously, perfect fidelity only represents a reference point 
and can not be sustained and guaranteed at all times in real life. A slightly different and more practical 
definition of fidelity is given by a function (fi^l < i < n: 

(t>i ■ [r]i ^ [q]i, such that ^ & [+]i,y ■ & [Bji : + r2) = M^i) ■ Mr2) ■ K{t)- (3) 

As for the function, <f>i returns the qualia associated with the input raw facts. Contrarily to the 
function, the (pi does not preserve their algebraic structures unless the value of the error component (t) 
is zero. The use of lower-case “0” is meant to suggest that (pi represents a less-than-perfect version of 
The A^(t) quantifies a drifting in time (represented by variable t) of the ability to create a trustworthy 
“internal” representation of an experienced raw fact. 

In [9], fidelity is classified in function of the type of drifting. Classes may include, e.g., the following 
cases: 

• Hard-bound fidelity drifting, exemplified by hard-real-time nOPS. 

• Statistically-bound fidelity drifting—as typical of, e.g., soft real-time systems. 

• Unbound fidelity drifting characterised by a “trend”. 

• Unbound fidelity drifting with a random trend. 

Accordingly, very disparate cases can be presented to exemplify imperfect fidelity, e.g. the accidents 
experienced by the linear accelerator Therac-25 EDIH] and the system failure caused by the last Scud 
fired during the Gulf War [24]. In the former case, one of the reasons that led to some of the accidents was 
that the Ul-qualia and the cyber-qualia did not match when the operator was typing at a very fast pace. 
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As a result of such imperfect fidelity, the quantities represented on the screen of the Therac-25 did not 
correspond to the data stored in its memories—and, regrettably, to the amount of radiations supplied to 
the patients by the linear accelerator. In the Patriot case, resulting in 28 US Army reservists being killed 
and 97 injured by a Scud missile on 25 February 1991. The missile-defence system was an nOPS that 
interacted with its environment through a number of context figures that included velocity and time. As 
discussed in [18] , the cyber-quale corresponding to physical time was represented as the number of tenths 
of seconds from a reference epoch and stored in a 24-bit integer variable. Imprecision in the conversion 
of said variable into a real number translated in an unbound drifting of fidelity over time. The more the 
Patriot missile-defence system operated without a reboot, the larger was the pertaining to time and, 
as a consequence, the greater the discrepancy between the expected and the real position and velocity of 
the incoming Scud missile. An obvious workaround to the above unbound drifting is that of rebooting 
the system regularly so as to rejuvenate m the qualia management system and bring back the to 
“safe” values. Although both problem and workaround were known at the time of the accident, no upper 
bound was known beyond which the resilience of the system would be affected. Common belief was that 
the unresilience threshold would never be reached in practice. Regrettably, reality proved the trust on 
that belief to be misplaced. The Patriot missile that had to intercept the Scud never took off. The cases 
of the Therac-25 and of the Patriot system reveal a common denominator: behaviours such as those of a 
human operator or those produced by a numerical algorithm are all translated into a same, homogeneous 
form: that of a stream of numerical data representing samples of the A^(t) dynamic systems. A major 
methodological assumption in the present work is that the above data could be compared with other data 
representing reference conditions. In the Therac-25 case, such data may correspond to, e.g., reference 
user stereotypes of expected operator behaviours, represented for instance as the numerical weights in a 
Hidden Markov Model [15]. Likewise, in the Patriot case, those reference data may correspond to, e.g., 
a threshold representing safe ranges for accumulated or cumulative numerical errors produced through 
the iterations of numerical methods. In both the exemplified cases, assessing fidelity is thus translated 
into the problem of evaluating a “distance” between observed and reference data. 

In what follows, we propose an architecture and a prototypical system to evaluate systematically a 
system’s fidelity drifting. These are modelled on a toy example, easily modified and extended to a real 
case scenario, whose presentation we reserve to an extended version of this work. 

3 Janus’ Architecture 

In view of the above discussion, our approach to systematic evaluation of fidelity requires at least the 
following components: 

• A sensory service, interfacing the deployment environments so as to register a number of “raw 
facts”, namely variations in a number of environmental properties. Raw facts could refer, for 
instance, to variations in luminosity, temperature, or the amount of network bandwidth available 
between two endpoints. 

• A uniform qualia service, providing consistent, timely and reliable access to cyber-qualia (computer- 
based representations of the raw facts). 

• An application layer, providing a convenient means for fidelity assessment and reactive control. 

In what follows we introduce the above components and a prototypical system compliant to the just 
sketched models, see Fig. 

3.1 Sensory and Qualia Services 

Our sensory and qualia service is based on so-called reflective and refractive variables (RRvars) [121 HI] ? 
a tool for the development of nOPS in the C programming language. The idea behind RRvars is quite 
simple: a number of predefined variables provide access to the qualia of corresponding raw facts. Those 
variables are “volatile”, meaning that their content is asynchronously and continuously updated by 
an associated thread. Thus for instance RRvar int cpu does not retain a constant value; rather, it 
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Machin^ Specs 
ie:driftinq(user fidelity) 


value:driftinq(machine fidelity) . 


process2b:./mplaver I 
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new(qualia:rr var cpu)J :CPU Reader 




new(qualia:rr var mplayer) 


new(qualia:rr var gui) 
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Figure 1: Sequence diagram of the Janus’ components. 


is continuously updated by the CpuO thread. Such thread cyclically retrieves the percentage of CPU 
currently in use and stores it in the memory cells associated to cpu as an integer number ranging between 
0 (CPU fully available) and 100 (no CPU available). In the current implementation, which runs on Linux 
and Windows/Cygwin systems, CpuO retrieves its raw facts by calling the top utility. This is referred 
to as processlb in Fig. 

A second and slightly more complex example is given by RRvar int mplayer, a variable updated 
by thread Mplayer(), referred to as process2b in Fig. The latter component communicates with an 
instrumented MPlayer movie player [2] through a simple UDP client/server protocol. By reading the 
content of mplayer one is informed of the state of the MPlayer—see Fig. Currently, the following 
integer values are used: 


#define UDPMSG.STOP 
#define UDPMSG.SLOW 
#define UDPMSG.PAUSED 
#define UDPMSG.START 
#define UDPMSG.SIGNAL 


1 // mplayer 

2 // mplayer 

3 // mplayer 

4 // mplayer 

5 // mplayer 


has finished playing a video 

is encountering problems while playing a video 
has been paused 
has been launched 

caught an exception and is about to exit abnormally. 


A third case is given by RRvar int ui, updated by thread Ui(). This is a special case in that 
this RRvar represents a Ul-qualia (see Sect. reporting raw facts specific of an instance of a user 
interface. This is referred to as process3b-process3e in Fig.[2 Said user interface and the Ui() thread 
communicate transparently of the operator via the same mechanism presented for RRvar mplayer. 
The values returned in RRvar int ui represent usability raw facts derived by comparing the behaviours 
exercised by the current user with “reference behaviours” representing the expected behavioural patterns 
of a trustworthy operator. The method to derive these raw facts is described in nms]. This method 
may be used to detect gradual behavioural driftings (due to, e.g., fatigue, stress, or the assumption of 
psychotropic substances) and sudden behavioural driftings (caused, e.g., by an account takeover or other 
cyber-criminal attacks). 


3.2 Control Layer: Janus 

Janus is the name of our exemplary RRvar client component 0 The structure of Janus is the one typical 
of RRvar clients m and exemplified in Fig. As can be seen from the picture, the RRvar metaphor 
makes it possible to quickly define nOPS components based on the three classes of qualia presented 
above, see Fig. 

^As for the system described in [m, the name of our component comes from mythical Janus Bifrons, the god of 
transitions, who had two faces and thus could observe and reason by considering two different “views” at the same time. 
Of the proposed etymologies of Janus, particularly intriguing here is the one proposed by Paul the Deacon m- hiantem, 
hiare, “to be open”. Due to this fact one would be tempted to refer to Janus Bifrons here as to a 2-open system. 
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/* File Janus.c. Created/modified on Fre Feb 27 10:44:31 CET 2015 */ 

#include "rrvars_init.h" // RRvars initialization routines 
int main (int argc, char *argv[]) 

int cpuold, mplayerold, uiold; 

RR_VARS // initializes the RRvars client 

RRVARCPU // spawns and initializes thread Cpu() 

RRVARMPLAYER // spawns and initializes thread MplayerO 

RR VAR UI // spawns and initializes thread Ui() 

prTntfT"cpu == %d\nmplayer == %d\nui == %d\n", cpu, mplayer, ui); 
while (1) { sleep(l); 

if (cpuold != cpu) printfC'cpu == %d\n", cpuold=cpu); 

if (mplayerold != mplayer) printf("mplayer == %d\n", mplayerold=mplayer); 
if (uiold != ui) printf("ui == %d\n", uiold=ui); 


tinclude "rrvars_end.c" // RRvars termination routines 


Figure 2: Typical structure 
and continuously displayed. 


of an RRvar client. Here three RRvars (cpu, mplayer, and ui) are declared 


v@v-XPS-L701X:~/Copy/docs3/articles/l«)id9etPa9in9/RRvar_v4.3b$ ./Janus 
cpu == 0 
mplayer == 0 

v0v-XPS-L7OlX:~/mplayer_build/mplayer$ ./mplayer ~/Douinloads/Guernica\ \[AlainS 
Resnais\,\ 1950\]\ 350084G_1800\)0K.mp4 

MPlayer SVN-r373Gl-4.9.1 (C) 2000-2015 MPlayer Team 

v0v-XPS-L7OlX:~/Copy/docs3/softuiare/tcltk$ wish interaction04.tcl 

Mplayer server: startiny... 

Ui server: starting... 

Mplayer server: uiaitiny for data on port UDP 1500 

Ui server: uiaitiny for data on port UDP 1510 
mplayer == 0 
ui == 0 

Mplayer server: from 127.0.0.1:UDP49532 : 4 

Mplayer server: mplayer started 
mplayer == 4 

Mplayer server: from 127.0.0.1:UDP49532 : 3 

Mplayer server: mplayer paused 
flayer == 3 

Playiny /home/v/Douinloads/Guernica [Alain Resnais, 1950] 350084G_1800)0K.mp4. 
libavformat version 56.19.100 (internal) 
libavformat file format detected. 

[lavf] stream 0: video (h2G4), -vid 0 

[lavf] stream 1: audio (aac), -aid 0, -alany eny 

VIDEO: [H2G4] 7G8x57G 24bpp 25.000 fps 599.4 kbps (73.2 kbyte/s) 

Clip info: 
major.brand: isom 
minor.version: 512 
compatib1e.brands: isomiso2avclmp41 
encoder: Lavf5G.15.102 

Load subtitles in /home/v/Downloads/ 

Failed to open VDPAU backend libvdpau.nouveau.so: cannot open shared object file 
: No such file or directory 

[vdpau] Error when cal liny vdp.device.create.xll: 1 



Openiny video decoder: [ffmpey] FFmpey's libavcodec codec 


MPlayer 


libavcodec version 5G.21.100 (internal) 

Selected video codec: [ffh2G4] vfm: ffmpey (FFmpey H.2G4) 
Environment variable RRVAR.CLIENT undefined, settiny to 1 
mplayer::udpopen: sendiny data to 'localhost' (IP : 127.0 
sendiny 4 

Starting playback... 

Movie-Aspect is 1.33:1 - prescaling to correct movie aspe 
VO: [xv] 7G8x57G => 768x578 Planar YV12 

A: 21.1 V: 21.1 A-V: -0.002 ct: -0.035 0/ 0 iiz oz 

sending 3PAUSE ===== 

No bind found for key 'MOUSE.DTNO'. 

Lcs rcalisatcurs rcmcrcicnt : Mcscla 

liraun ct Dora Maar. Messieurs 1 

Koot/. Rer^eas. Sabartes. Valsuani. ! 


Figure 3: An instance of the MPlayer connects with Janus and reports its state. 


v0w-XPS-L7OlX;~/Copy/docs3/articles/Uid9etPa9in9/RRvar_u4.3b$ ./Janus 
cpu == 0 
mplayer == 0 
ui == 0 

Mplayer server: startiny... 

Ui server: startiny... 

Mplayer server: uaitiny for data on port UDP 1500 
Ui server: waitiny for data on port UDP 1510 
mplayer == 0 
ui == 0 

Mplayer server: from 127.0.0.1:UDP49532 : 4 
Mplayer server: mplayer started 
mplayer == 4 

Mplayer server: from 127.0.0.1:UDP49532 : 3 
Mplayer server: mplayer paused 
mplayer == 3 

Mplayer server: from 127.0.0.1:UDP49532 : 5 
Mplayer server: mplayer cauyht an exception 
Mplayer server: mplayer cauyht siynal 2 
Mplayer server: mplayer cauyht siynal 2 
Mplayer server: from 127.0.0.1:UDP49532 : 5 
Mplayer server: mplayer cauyht an exception 
Mplayer server: mplayer cauyht siynal 11 
Mplayer server: mplayer cauyht siynal 11 
mplayer == 5 

Ui server: from 127.0.0.1:UDP59838 : 0 
Ui server: from 127.0.0.1:UDP58G67 : 0 
Ui server: from 127.0.0.1:UDP40205 : 0 
Ui server: from 127.0.0.1:UDP35499 : 4 
ui == 4 
□ 


v0v-XPS-L7OlX:~/mplayer_build/mplayer$ ./mplayer ~/Downloads/Guernica\ \[Alain\ 

Resnais\,\ 1950\]\ 350084B_1800\)0K.mp4 

MPlayer SVN-r373Gl-4.9.1 (C) 2000-2015 MPlayer Team 


v0V-XPS-L701X: ~/Copy/docs3/software/tc 1 tk$ w i sh i nteract i on04. tc 

D 


Playiny /home/v/Downloads/Guernica [Alain Resnais, 1950] 350084G_1800)0K.mp4. 
libavformat version 5G.19.100 (internal) 
libavformat file format detected. 

[lavf] stream 0: video (h2G4), -vid 0 

[lavf] stream 1: audio (aac), -aid 0, -alany eny 

VIDEO: [H2G4] 7G8x57B 24bpp 25.000 fps 599.4 kbps (73.2 kbyte/s) 

Clip info: 
major.brand: isom 
minor.version: 512 
corapatib1e.brands: isomiso2avclmp41 
encoder: Lavf5G.15.102 
Load subtitles in /home/v/Dounloads/ 

Failed to open VDPAU backend libvdpau.nouveau.so: cannot open shared object file 
: No such file or directory 

[vdpau] Error when calliny vdp device create xll: 1 


Openiny video decoder: [ffmpey] FFmpey's libavcodec codec family 
libavcodec version 5G.21.100 (internal) 

Selected video codec: [ffh2G4] vfm: ffmpey (FFmpey H.2G4) 


Openiny audio decoder: [ffmpey] FFmpey/libavcodec audio decoders 
AUDIO: 44100 Hz, 2 ch, floatle, 93.G kbit/3.32Z (ratio: 11703->352800) 
Selected audio codec: [ffaac] afm: ffmpey (FFmpey AAC (MPEG-2/MPEG-4 Audio)) 


[AO OSS] audio.setup: Can't open audio device /dev/dsp: No such file or director 
9 

AO: [alsa] 44100Hz 2ch floatle (4 bytes per sample) 

Environment variable RRVAR.CLIENT undefined, settiny to localhost... 
mplayer::udpopen: sendiny data to 'localhost' (IP : 127.0.0.1) 
sendiny 4 

Startiny playback... 

Movie-Aspect is 1.33:1 - prescaliny to correct movie aspect. 

VO: [xv] 7G8x57G => 7G8x57B Planar YV12 

A: 21.1 V: 21.1 A-V: -0.002 ct: -0.035 0/ o m 02 o.GZ 0 0 

sendiny 3PAUSE ===== 

No bind found for key 'MOUSE.DTNO'. 
sendiny 5 
sendiny 5 

Seymentation fault (core dumped) 
v0V-XPS-L701X:'''/mplayer_build/mplayer$ Q 


interaction04.tcl - + x 


Enter name: 



1020304050 


Push Me 

Finished j 

Hello, Frank. 

You are 20 years old. 

--> All is normal -- n 
0 discomfort detected 
Hello, Zappa. 

You are 23 years old. 

--> All is normal -- n 
0 discomfort detected 
Hello, jjhjhjhjjj. 

You are 23 years old. 

--> All is normal -- n 
0 discomfort detected 
Hello, jjhjhjhjjjkkjkjkjkjkjkj 
kjk. 

You are 23 years old. 

--> Script returned {4 
child process exited abnormall 

y} 


Figure 4: The RRvar client connects with both MPlayer and an exemplary user interface. 
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Sunnary of Interactions 



Figure 5: Log of the interaction between user and UI. Between 50 and 60s a rapid burst of keystrokes is 
interpreted as an anomalous situation. 

4 Fidelity as Trustworthiness 

In this final section, we link the model of open systems offered in Sect. and their architecture im¬ 
plemented in Sect. to a model of trustworthiness evaluation. We use fidelity to assess the working 
conditions of an open system and to establish a metric of trustworthiness. Our final objective is to 
provide a qualitative extension of the standard MAPE-loop based on trustworthiness assessment. Trust 
for security, management and reputation systems is gaining a lot of attention in the literature and it 
is typically accounted for as a first-order relation between (possibly autonomous) agents or system’s 
modules, see e.g. 0 0 0 na Eg. Our account considers trust as a second order property character¬ 
ising cumulatively system’s fidelity, where the latter is obtained as the dynamic variation of properties 
of the system’s modules. This approach to second-order trust has been already used for information 
transmission evaluations ( [23] ), access-based control ( [22| ), and software management systems ( [19] ). In 
the present analysis, trustworthiness is used to plan reaction to malfunctioning and restoring of func¬ 
tionalities in cyber-physical systems. As the cases of Therac-25 and the Patriot-missile defence system 
show, unacknowledged drifting can be crucial in maximising unjustified trust to dangerous levels. On 
the other hand, a metric evaluating minimal functionality thresholds can minimise unjustified mistrust, 
reducing confidence that the system will choke and eventually fail (antitrust). Early cases of low true- 
alarm rate or high false-alarm rate in automation do not need to set constants for future behaviour of 
the user. Similarly, criteria to compare intended and current behaviour are essential to allow mechanical 
assessment of user’s inability, incompetence or threats. Eidelity and drifting can provide the systematic 
methodology and quantitative model to continually evaluate and experiment the system’s vulnerability 
in the context of its operations, thus making the dichotomy conditional vs. unconditional trust (faith) 
working. Trust can be thought of as a measure of confidence about minimal drifting from fidelity for 
all the components, and hence that the overall behaviour of the system is sufficiently resilient. In the 
following, we reconstruct the process of fidelity monitoring, trustworthiness evaluation and operation 
execution in terms of a MAPE-loop designed for trust, see HO]. In the architecture presented in Sect.|§ 
the Janus assesses the behaviour of the system. This is parametrised in view of reflective variables 
for CPU consumption and a component’s operations (on the machine side of the system), and for the 
user interface (on the user’s side). Mapping of these variables values as raw facts and qualia provides a 
measure of system’s fidelity: 

• ^cpu • Mcpu [q]cpu^ obtained by the mapping of input values from the top process to 
pre-selected parameters assigned to CPU-consumption behaviour; 

• ^component ' [r] component ^ [olcomponent, obtained by the mapping of input values from the exe¬ 
cutable’s observable behaviour to pre-selected parameters assigned to its operations; 

• ^ui • Mu I [q]ui^ obtained by the mapping of input values from the user’s observable behaviour 
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to pre-selected parameters assigned to a standard or expected user’s behaviour. 

The system’s component monitoring the classes [r]i of raw facts is called the sensor layer] similarly, we 
use qualia layer to refer to the component monitoring the classes [q]i of qualia. The combination of the 
sensory and representative layers constitutes the Monitoring component within our MAPE-loop. Fidelity 
is then approximated as the inversely proportional function of the drifting from appropriate mappings 
We shall refer to the value of user-based mappings as user-defined fidelity (^^); correspondingly, we 
shall call maehine-defined fidelity the value based on mappings related to the machine behaviour. 

For the Janus introduced in Sect.|^ 


= l/^{t)ui (4) 

= 1/f{A{t)cPU, ^{t)exec) (5) 

where / is some function, weighted according to domain-specific and user defined parameters. We refer 
to the set of values $(t) = as the content of our Analysis component, with the global value 

^ parametrised by time. As an example, consider the class of mappings with a value of the sensor 
layer indicating e.g. quick typing and a value of the qualia layer returning a distress indication: in this 
case the fidelity layer reports an high value. As an example across distinct mappings, assume that the 
reflective variable for MPlayer indicates that the application is running slower, while the one for CPU 
monitoring indicates low usage value: this is expressed by a low fidelity value across the two classes in 
Analysing fidelity values across the distinct monitoring layers allows a cumulative evaluation to 
be obtained. This value is monitored by the appereeption layer. This layer is used to evaluate system 
trustworthiness as a global value of user-defined and machine-defined fidelity values. The next level 
is represented by the Janus feeding the content of the appereeption layer into the eontrol layer. This 
corresponds to the Planning component of our system. At this stage, system trustworthiness is matched 
to a resilience scale that identifies and automatically triggers actions aimed at preserving system safety or 
enabling ameliorating conditions. The latter part of the system is the Exeeution component, monitoring 
an aetion layer. Despite the fact that a resilience scale should be highly domain specific, a possible 
general model can be given in terms of four essential stages: 

1. Trustworthy System identifies high levels of ^(t), inducing optimal, sustainable working conditions; 

2. Unstable System identifies high-to-medium and low levels, inducing reconfigurable working 
conditions; 

3. Unsafe System identifies high-to-medium and low levels, inducing alarm-rising working 
conditions; 

4. Untrustworthy System identifies low-levels of ^(t), inducing inadvisable or below-safety working 
conditions. 

The above analysis is summarised in the MAPE-loop in Fig. 

5 Conclusions 

We have presented a prototypical model architecture for a trust-based MAPE-loop for cyber-physical 
systems. The trust evaluation is grounded on the assessment of fidelity drifting with respect to values 
representing ideal reference conditions for both user and machine. Although prototypical, we believe 
that our architecture proves the feasibility of our approach to trustworthiness assessment and paves the 
way towards future implementations. Our goal is to develop systems that are trustworthy in integrating 
quality-of-service and quality-of-experience, by optimising the relations between system-level, “micro¬ 
scopic” aspects and user-level, “macroscopic” ones. A further goal is to extend our architecture into 
that of a MAPE-K loop and apply machine learning methods such that systems based on our approach 
may systematically improve the match with the environments they interact with. Costs analysis for 
the trust-based MAPE-loop remains to be explored. Its use at early stages of design can reduce risks; 
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Figure 6: A MAPE-loop for System trustworthiness based on fidelity. 


our examples shows, nonetheless, that it is possible to deploy the methodology on existing software, by 
selecting relevant variables. Further work will focus on formal modelling of trustworthiness assessment 
in a probabilistic epistemic setting. 
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